Let's Encrypt: Migrating From TLS-SNI-01
source link: https://www.vultr.com/docs/let-s-encrypt-migrating-from-tls-sni-01
Let's Encrypt is a free service that issues certificates to secure your website. It supports several certificate types, including single-domain and wildcard certificates, and it offers more than one challenge type for proving that you control a domain before a certificate is issued:
- http-01 (Simple HTTP)
- dns-01 (DNS validation)
- tls-sni-01 (validation through the use of a self-signed certificate; now deprecated)
The issue
Unfortunately, a vulnerability was discovered in January 2018 that made it possible to obtain certificates for domains without prior authentication or authorization; in other words, certificates could be issued for domains that you do not actually own.
Shortly afterwards the tls-sni-01 challenge was discontinued, and most new issuances (new certificates) were blocked from using it for authentication.
Switching to Simple HTTP
Switching to http-01 ("Simple HTTP") authentication is fairly simple. If you are using certbot-auto to generate your certificates, Let's Encrypt will have already generated a new certificate or will do so automatically during the next renewal.
If you are using certbot, use the --preferred-challenges parameter:
certbot (...) --preferred-challenges http
This tells Let's Encrypt to switch to http-01.
Switching to DNS validation
If you want to avoid all of this hassle, it is relatively easy to configure Let's Encrypt's DNS validation. When executing certbot, add --preferred-challenges dns as a parameter:
certbot -d example.com --manual --preferred-challenges dns
certbot will print something similar to the following:
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
(random_string)
Once this is deployed,
Press ENTER to continue
Once you have added the record with your DNS provider, press ENTER. You will then need to set up a cron job to renew your certificate automatically. Because DNS validation is used, you do not have to worry about the redirection from port 80 to port 443 that http-01 requires.
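As an added check that is not part of the original article or of certbot itself, the script below audits certbot's renewal configuration files for the two pitfalls touched on in the http-01 and DNS sections above: certificate lineages whose renewal parameters still prefer the withdrawn tls-sni-01 challenge, and --manual DNS certificates that a cron job cannot renew unattended because no --manual-auth-hook is configured. It assumes the renewal files live under /etc/letsencrypt/renewal/*.conf and use certbot's [renewalparams] keys authenticator, pref_challs and manual_auth_hook; the sample files embedded in the block are constructed for illustration.

```python
"""Audit certbot renewal files for tls-sni-01 and for manual DNS certs
that cannot renew unattended. Added example, not from the article or certbot.
Assumption: files live under /etc/letsencrypt/renewal/*.conf and use
certbot's [renewalparams] keys authenticator, pref_challs, manual_auth_hook."""
import glob
import os

DEPRECATED_CHALLENGE = "tls-sni-01"


def parse_renewal_conf(text):
    """Parse certbot's INI-style renewal file into {section: {key: value}}.
    Keys that appear before the first [section] (the cert paths) go under ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def audit(name, text):
    """Return the authenticator/challenge settings of one lineage plus findings."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    # certbot writes list values with a trailing comma, e.g. "tls-sni-01,"
    challs = [c.strip() for c in params.get("pref_challs", "").split(",") if c.strip()]
    findings = []
    if DEPRECATED_CHALLENGE in challs:
        findings.append(
            "pref_challs still prefers tls-sni-01; re-issue with "
            "--preferred-challenges http (or dns) so renewals stop requesting it")
    if params.get("authenticator") == "manual" and not params.get("manual_auth_hook"):
        findings.append(
            "manual authenticator without manual_auth_hook; an unattended "
            "'certbot renew' from cron cannot place the _acme-challenge TXT record")
    return {"name": name, "authenticator": params.get("authenticator"),
            "pref_challs": challs, "findings": findings}


def audit_directory(path="/etc/letsencrypt/renewal"):
    """Audit every *.conf under a certbot renewal directory (sorted by name)."""
    results = []
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf, encoding="utf-8") as fh:
            results.append(audit(os.path.basename(conf)[:-len(".conf")], fh.read()))
    return results


# Constructed sample renewal files standing in for /etc/letsencrypt/renewal/*.conf
SAMPLES = {
    "legacy.example.com": """\
archive_dir = /etc/letsencrypt/archive/legacy.example.com
cert = /etc/letsencrypt/live/legacy.example.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = tls-sni-01,
""",
    "dns.example.com": """\
[renewalparams]
authenticator = manual
pref_challs = dns-01,
""",
    "web.example.com": """\
[renewalparams]
authenticator = nginx
installer = nginx
pref_challs = http-01,
""",
}

if __name__ == "__main__":
    # Run over the constructed samples; call audit_directory() on a real host.
    for sample_name, sample_text in SAMPLES.items():
        result = audit(sample_name, sample_text)
        status = "OK" if not result["findings"] else "ACTION NEEDED"
        print(f"{result['name']}: {status} (authenticator={result['authenticator']}, "
              f"pref_challs={result['pref_challs']})")
        for finding in result["findings"]:
            print("  -", finding)
```

On a real host, call audit_directory() and schedule the script alongside the cron job that runs certbot renew, so a lineage that silently drifts back to an unusable challenge shows up before the certificate expires.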